Summary
A security issue was discovered in the in-cluster version of Headlamp where unauthenticated users may be able to reuse cached credentials to access Helm functionality through the Headlamp UI. Kubernetes clusters are only affected if Headlamp is installed, is configured with config.enableHelm: true, and an authorized user has previously accessed the Helm functionality.
Impact
When an authorized user accesses Helm features in Headlamp, credentials are cached in a way that unauthenticated users can subsequently reuse. An unauthenticated remote attacker who can reach the Headlamp UI may exploit this to perform Helm operations with the privileges of the previously authenticated user. The Headlamp desktop version is not affected; only in-cluster installations are at risk.
Detection
Review logs for unexpected access to clusters/main/helm/releases/list and other Helm-related endpoints. Unusual activity on those paths from unauthenticated sessions or sessions that did not independently authenticate may indicate exploitation. If you find evidence that this vulnerability has been exploited, contact security@kubernetes.io.
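The following is an added example, not part of the advisory and not Headlamp's own tooling. It scans access-log records for requests to the Helm endpoints named above (any `/clusters/<name>/helm/...` path) that carried no credentials, which is the pattern the Detection section describes. The log lines are constructed; the field names (`session`, `auth`, `status`, `path`) and the JSON-lines format are assumptions, since proxies and ingress controllers log differently, so adapt `parse_line` to whatever is in front of your Headlamp instance.

```python
import json
import re

# Matches the Helm endpoints named in the advisory, e.g.
# /clusters/main/helm/releases/list, for any cluster name.
HELM_PATH = re.compile(r"^/clusters/[^/]+/helm(?:/|$)")

# Constructed sample access log in JSON-lines form. The field names are
# assumptions, not Headlamp's real log schema; "auth" records whether the
# request presented a credential (e.g. a bearer token). Paths other than
# helm/releases/list are placeholders.
SAMPLE_LOG = """
{"ts":"2024-05-01T10:00:01Z","src":"10.0.0.5","session":"s1","method":"GET","path":"/clusters/main/version","auth":true,"status":200}
{"ts":"2024-05-01T10:00:05Z","src":"10.0.0.5","session":"s1","method":"GET","path":"/clusters/main/helm/releases/list","auth":true,"status":200}
{"ts":"2024-05-01T10:02:11Z","src":"198.51.100.7","session":"s2","method":"GET","path":"/clusters/main/helm/releases/list","auth":false,"status":200}
{"ts":"2024-05-01T10:02:30Z","src":"198.51.100.7","session":"s2","method":"POST","path":"/clusters/main/helm/placeholder-action","auth":false,"status":200}
{"ts":"2024-05-01T10:03:00Z","src":"203.0.113.9","session":"s3","method":"GET","path":"/clusters/main/helm/releases/list","auth":false,"status":401}
{"ts":"2024-05-01T10:04:00Z","src":"10.0.0.8","session":"s4","method":"GET","path":"/clusters/main/nodes","auth":false,"status":401}
"""


def parse_line(line):
    """Parse one JSON log record; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def is_helm_request(path):
    """True if the request path is one of Headlamp's Helm endpoints."""
    return bool(HELM_PATH.match(path))


def scan(lines):
    """Return one finding per Helm request that presented no credential.

    A 2xx/3xx response to such a request means the endpoint was served
    without authentication (severity "high"); a 4xx/5xx response is an
    attempt that was refused (severity "info"), still worth noting.
    """
    findings = []
    for rec in map(parse_line, lines):
        if rec is None or not is_helm_request(rec.get("path", "")):
            continue
        if rec.get("auth"):
            continue  # authenticated access is expected behaviour
        served = int(rec.get("status", 0)) < 400
        findings.append({
            "ts": rec.get("ts"),
            "session": rec.get("session"),
            "src": rec.get("src"),
            "path": rec["path"],
            "severity": "high" if served else "info",
            "reason": ("helm endpoint served without credentials"
                       if served else "unauthenticated helm request denied"),
        })
    return findings


def sessions_to_investigate(findings):
    """Sessions that obtained Helm data or actions without credentials."""
    return sorted({f["session"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.strip().splitlines())
    for f in results:
        print(f"[{f['severity']}] {f['ts']} session={f['session']} "
              f"src={f['src']} {f['path']}: {f['reason']}")
    print("investigate sessions:", sessions_to_investigate(results))
```

On the constructed sample this flags session `s2` as having been served Helm endpoints with no credential, and records `s3` as a refused attempt. A real run should also compare flagged sessions against your authentication source (identity provider or Kubernetes audit log) to confirm the session never authenticated on its own.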
Mitigation
Upgrade Headlamp to v0.39.0 or any later version. The fixed release is available at the Headlamp v0.39.0 release page. For upgrade guidance, refer to the Headlamp documentation.
Prior to upgrading, this vulnerability can be mitigated by ensuring Headlamp is not publicly exposed (for example, through an ingress), which limits who can reach the UI in the first place.